MegaUpload Captcha Cracking In JavaScript


This was certainly the last thing we expected to see today. [ShaunF] has created a Greasemonkey script to bypass the captcha on file-hosting site Megaupload. It uses a neural network in JavaScript to do all of the OCR work, and it will auto-submit and start downloading too. It’s quite a clever hack, and it is certainly helped by the simple three-character captcha the site employs. Attempting to do the same thing with ReCAPTCHA has proven much more difficult.

UPDATE: [John Resig] explained how it works.

[via Waxy]

25 thoughts on “MegaUpload Captcha Cracking In JavaScript”

  1. The funny thing is the ReCaptcha is actually piggybacking difficult OCR of old texts while also doing a human test. So, if Recaptcha is ever “broken”, they would be solving a significant machine learning problem that would help libraries and text archives worldwide.

  2. It’s an OCR neural network captcha decoder…in Javascript…at 486 lines of code.

    I’m just now getting dialog boxes and stuff to draw out in JS and this guy’s building an effing Skynet with it in less lines of js than you see in your average cheesy AJAX page.

  3. Megaupload’s captcha wasn’t particularly mind blowing in terms of character obscurity in the first place. A normalised cross correlation filter could do the job just as easy.

    I have to say, ShaunF’s little neural network code is pretty cool. However, I can see a couple of problems with the neural network approach.

    Neural networks need a training data set (eg. the Megaupload’s captcha images) in order to pre-calculate the weights required for image recognition.

    Its classification reliability will be heavily dependent on the choice of training data. Basically there is a danger of over training, or the neural net becoming too specialised for a particular training data set. In such cases, it would be easy to defeat the neural network by simply changing the CAPTCHA images in a significant way. Realistically speaking, it doesn’t take much effort to change a CAPTCHA font – for example.

    Also, neural networks trained with a much broader data set will have more false positives and false negatives during recognition. Very fiddly.

    Anyone hoping to break Recaptcha in a similar way will have to wait for a few more decades, I’m afraid.

  4. Hi,

    I was trying to bypass the 40 seconds in megaupload.

    Apparently it’s a var who contains the seconds left and change name at each page loading. (looks like x2850, x45698, x76954, …) so I made a greasemonkey script to automatically find this var name, which it does but I can’t change his value …

    $bad_english = true;

  5. ha ok … too bad …

    but anyway why can’t I access to his value ?

    alert(" end => "+end+"\r\n this[end] => "+this[end]);

    this returns

    end => x5258
    this[end] => undefined

    And also I read the sources of the captcha thing … it’s mad !

    And THX

  6. returns the same.

    but might be because greasemonkey is executed somehow somewhere else than the var I’m tryin to change.

    Anyway thx ! And too bad for the server countdown !
    Someone knows if this is bypassable ? Like an algo from page id to file id or something like on youtube&co

  7. @eliot True, but words which were unknowns to OCR are then later used as known samples once enough users identify the same unknown word. Hence, their method is still fairly secure.

